64 files changed, 47475 insertions, 14920 deletions

diff --git a/src/man/po/ar.po b/src/man/po/ar.po
index e0897519..70e61525 100644
--- a/src/man/po/ar.po
+++ b/src/man/po/ar.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:37+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Arabic <trans-ar@lists.fedoraproject.org>\n"
 "Language: ar\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/as.po b/src/man/po/as.po
index 42df5fcd..0faeb69f 100644
--- a/src/man/po/as.po
+++ b/src/man/po/as.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-06-30 18:18+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Assamese (http://www.transifex.net/projects/p/fedora/team/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/bal.po b/src/man/po/bal.po
index b3cebc81..bf9be67a 100644
--- a/src/man/po/bal.po
+++ b/src/man/po/bal.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Balochi <trans-bal@lists.fedoraproject.org>\n"
 "Language: bal\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/bn.po b/src/man/po/bn.po
new file mode 100644
index 00000000..a963dbef
--- /dev/null
+++ b/src/man/po/bn.po
@@ -0,0 +1,4991 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Bengali <info@ankur.org.bd>\n"
+"Language: bn\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/bn_IN.po b/src/man/po/bn_IN.po
index 1a1433a9..a4dd568a 100644
--- a/src/man/po/bn_IN.po
+++ b/src/man/po/bn_IN.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Bengali (India) <anubad@lists.ankur.org.in>\n"
 "Language: bn_IN\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ca.po b/src/man/po/ca.po
index 08fef170..c54aa81a 100644
--- a/src/man/po/ca.po
+++ b/src/man/po/ca.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:38+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Catalan <fedora@llistes.softcatala.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/cs.po b/src/man/po/cs.po
index 4dc71791..d1361716 100644
--- a/src/man/po/cs.po
+++ b/src/man/po/cs.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sss_daemon 1.2.3\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2010-10-25 10:46+0300\n"
 "Last-Translator: Automatically generated\n"
 "Language-Team: none\n"
@@ -59,7 +59,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -77,7 +77,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -118,10 +118,10 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -241,7 +241,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -280,13 +280,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -294,7 +294,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -415,6 +415,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -428,13 +454,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -444,25 +470,25 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
@@ -470,38 +496,38 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -511,32 +537,32 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -544,19 +570,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -565,7 +591,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -576,7 +602,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -586,13 +612,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -601,18 +627,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -622,86 +648,86 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -709,92 +735,92 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -802,13 +828,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -816,19 +842,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -836,13 +862,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -850,7 +876,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -859,19 +885,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -879,47 +905,47 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -927,7 +953,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -936,17 +962,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -954,25 +980,25 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -980,7 +1006,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -990,19 +1016,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
@@ -1010,19 +1036,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -1030,25 +1056,25 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1058,7 +1084,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -1066,7 +1092,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1076,13 +1102,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -1090,31 +1116,36 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -1124,55 +1155,55 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1182,13 +1213,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -1196,7 +1227,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1205,7 +1236,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1214,20 +1245,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -1235,13 +1266,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1250,19 +1281,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1272,19 +1303,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -1292,7 +1323,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1301,7 +1332,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1310,7 +1341,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1319,20 +1350,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -1340,13 +1371,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -1354,49 +1385,49 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1405,13 +1436,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -1419,22 +1450,22 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1443,19 +1474,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -1463,13 +1494,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1477,7 +1508,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -1485,13 +1516,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1500,31 +1531,31 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -1532,18 +1563,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -1551,18 +1582,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -1570,13 +1601,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1585,19 +1616,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1607,19 +1638,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1628,19 +1659,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1649,20 +1680,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><programlisting>
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1692,7 +1723,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1702,7 +1733,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1808,10 +1839,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2362,7 +2393,7 @@ msgstr ""
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2866,7 +2897,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -3021,16 +3052,16 @@ msgstr ""
 msgid "krb5_server (string)"
 msgstr ""
 
-# type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3454,7 +3485,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3506,11 +3537,11 @@ msgstr ""
 msgid "PAM module for SSSD"
 msgstr ""
 
-# type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3519,22 +3550,32 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
 "(3)</command> with the LOG_AUTHPRIV facility."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
@@ -3542,13 +3583,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3557,13 +3598,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
@@ -3571,13 +3612,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
@@ -3585,7 +3626,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3594,13 +3635,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
@@ -3608,13 +3649,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3623,7 +3664,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3636,7 +3677,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3645,7 +3686,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3923,15 +3964,14 @@ msgstr ""
 msgid "ipa_server (string)"
 msgstr ""
 
-# type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4853,48 +4893,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4902,97 +4944,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -5011,7 +5053,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -5021,7 +5063,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><programlisting>
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -5032,7 +5074,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/cs_CZ.po b/src/man/po/cs_CZ.po
index 96923f20..19c68496 100644
--- a/src/man/po/cs_CZ.po
+++ b/src/man/po/cs_CZ.po
@@ -2,15 +2,15 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: Czech (Czech Republic) (http://www.transifex.net/projects/p/"
-"fedora/team/cs_CZ/)\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: cs_CZ\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/da.po b/src/man/po/da.po
index 05e5bc88..acf2ed7e 100644
--- a/src/man/po/da.po
+++ b/src/man/po/da.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
 "Language: da\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/de.po b/src/man/po/de.po
index 785d630b..5cd0e218 100644
--- a/src/man/po/de.po
+++ b/src/man/po/de.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-05-27 20:03+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: German <trans-de@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/de_CH.po b/src/man/po/de_CH.po
index fbcd85a7..b928fd04 100644
--- a/src/man/po/de_CH.po
+++ b/src/man/po/de_CH.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: de_CH\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/el.po b/src/man/po/el.po
index 35abfc79..26f180ca 100644
--- a/src/man/po/el.po
+++ b/src/man/po/el.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:37+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Greek <trans-el@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/en_GB.po b/src/man/po/en_GB.po
index eaaf15dc..e8f8c91f 100644
--- a/src/man/po/en_GB.po
+++ b/src/man/po/en_GB.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: English (United Kingdom) (http://www.transifex.net/projects/p/"
 "fedora/team/en_GB/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/es.po b/src/man/po/es.po
index a6babf16..0006eac7 100644
--- a/src/man/po/es.po
+++ b/src/man/po/es.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-03-10 00:18+0000\n"
 "Last-Translator: sgallagh <sgallagh@redhat.com>\n"
 "Language-Team: Spanish (Castilian) <None>\n"
@@ -56,7 +56,7 @@ msgstr ""
 "arg>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -74,7 +74,7 @@ msgstr ""
 "indicados en la línea de comandos."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -119,10 +119,10 @@ msgstr ""
 "<replaceable>GROUPS</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -256,7 +256,7 @@ msgid "The [sssd] section"
 msgstr "La sección [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr "Parámetros de sección"
 
@@ -293,12 +293,12 @@ msgid "Supported services: nss, pam"
 msgstr "Servicios soportados: nss, pam"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -307,7 +307,7 @@ msgstr ""
 "de datos del  proveedor, o de reiniciarse antes de abandonar"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr "Predeterminado: 3"
 
@@ -441,6 +441,34 @@ msgstr ""
 "encuenytre disponible. En estas plataformas, la consulta (polling) será "
 "utilizada siempre."
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "krb5_rcache_dir (string)"
+msgstr "re_expression (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -453,12 +481,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr "SECCIONES DE SERVICIOS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -467,55 +495,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -524,45 +552,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -570,7 +598,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -580,7 +608,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -589,12 +617,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -602,17 +630,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -621,80 +649,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 #, fuzzy
 #| msgid "domains"
 msgid "domain name"
 msgstr "dominios"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -702,140 +730,140 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: /bin/sh"
 msgstr "Predeterminado: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -843,59 +871,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -903,7 +931,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -912,17 +940,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -930,29 +958,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -961,56 +989,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1020,14 +1048,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1036,39 +1064,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -1077,47 +1110,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1126,19 +1159,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1146,7 +1179,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1154,30 +1187,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1185,17 +1218,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1204,24 +1237,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1229,7 +1262,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1237,7 +1270,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1245,72 +1278,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1318,36 +1351,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "override_gid (integer)"
 msgstr "reconnection_retries (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1355,29 +1388,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1385,19 +1418,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1405,73 +1438,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1479,17 +1512,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1498,17 +1531,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1516,17 +1549,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1534,18 +1567,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1575,7 +1608,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1584,7 +1617,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1684,10 +1717,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2169,7 +2202,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2612,7 +2645,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2755,12 +2788,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3145,7 +3179,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3192,7 +3226,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3200,7 +3235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3208,24 +3243,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3233,31 +3278,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3265,24 +3310,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3290,7 +3335,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3302,7 +3347,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3310,7 +3355,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3570,11 +3615,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4396,48 +4441,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4445,97 +4492,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4553,7 +4600,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4562,7 +4609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4572,7 +4619,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/et.po b/src/man/po/et.po
new file mode 100644
index 00000000..4533bbad
--- /dev/null
+++ b/src/man/po/et.po
@@ -0,0 +1,4992 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Estonian (http://www.transifex.net/projects/p/fedora/team/"
+"et/)\n"
+"Language: et\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/fa.po b/src/man/po/fa.po
index 7d54b34d..30c79a24 100644
--- a/src/man/po/fa.po
+++ b/src/man/po/fa.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-06-30 18:20+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Persian (http://www.transifex.net/projects/p/fedora/team/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/fa_IR.po b/src/man/po/fa_IR.po
index d5b686a3..a8d3e723 100644
--- a/src/man/po/fa_IR.po
+++ b/src/man/po/fa_IR.po
@@ -2,15 +2,15 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: Persian (Iran) (http://www.transifex.net/projects/p/fedora/"
-"team/fa_IR/)\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: fa_IR\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/fi.po b/src/man/po/fi.po
index a2ae24c2..5773a1cc 100644
--- a/src/man/po/fi.po
+++ b/src/man/po/fi.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Finnish (http://www.transifex.net/projects/p/fedora/team/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/fr.po b/src/man/po/fr.po
index 000d4737..e930bf0f 100644
--- a/src/man/po/fr.po
+++ b/src/man/po/fr.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: French <trans-fr@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/gu.po b/src/man/po/gu.po
index 77b46dec..5499ef1f 100644
--- a/src/man/po/gu.po
+++ b/src/man/po/gu.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:37+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Gujarati <trans-gu@lists.fedoraproject.org>\n"
 "Language: gu\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/he.po b/src/man/po/he.po
index 3724f75e..1a2d372b 100644
--- a/src/man/po/he.po
+++ b/src/man/po/he.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Hebrew <he-users@lists.fedoraproject.org>\n"
 "Language: he\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/hi.po b/src/man/po/hi.po
index 1eee4cff..c38aec9c 100644
--- a/src/man/po/hi.po
+++ b/src/man/po/hi.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Hindi <indlinux-hindi@lists.sourceforge.net>\n"
 "Language: hi\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/hu.po b/src/man/po/hu.po
index fff1d8e5..c23c029a 100644
--- a/src/man/po/hu.po
+++ b/src/man/po/hu.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Hungarian <trans-hu@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/id.po b/src/man/po/id.po
index 113d28ca..3d052fe7 100644
--- a/src/man/po/id.po
+++ b/src/man/po/id.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Indonesian <trans-id@lists.fedoraproject.org>\n"
 "Language: id\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/is.po b/src/man/po/is.po
index 99d15901..67ed19a5 100644
--- a/src/man/po/is.po
+++ b/src/man/po/is.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:37+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Icelandic (http://www.transifex.net/projects/p/fedora/team/"
 "is/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/it.po b/src/man/po/it.po
index db0a8ff7..cc6f75ca 100644
--- a/src/man/po/it.po
+++ b/src/man/po/it.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:37+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Italian <trans-it@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ja.po b/src/man/po/ja.po
index 03d996b1..963a52e8 100644
--- a/src/man/po/ja.po
+++ b/src/man/po/ja.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-05-27 20:01+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Japanese (http://www.transifex.net/projects/p/fedora/team/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ja_JP.po b/src/man/po/ja_JP.po
index ec3a9827..8cbdf10f 100644
--- a/src/man/po/ja_JP.po
+++ b/src/man/po/ja_JP.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-05-27 19:59+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Japanese (Japan) (http://www.transifex.net/projects/p/fedora/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/kn.po b/src/man/po/kn.po
index a3396857..82500f1b 100644
--- a/src/man/po/kn.po
+++ b/src/man/po/kn.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Kannada (http://www.transifex.net/projects/p/fedora/team/"
 "kn/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ko.po b/src/man/po/ko.po
index e261327a..6625db04 100644
--- a/src/man/po/ko.po
+++ b/src/man/po/ko.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:40+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Korean (http://www.transifex.net/projects/p/fedora/team/ko/)\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/lt.po b/src/man/po/lt.po
new file mode 100644
index 00000000..c798eb56
--- /dev/null
+++ b/src/man/po/lt.po
@@ -0,0 +1,4993 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Lithuanian (http://www.transifex.net/projects/p/fedora/team/"
+"lt/)\n"
+"Language: lt\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && (n"
+"%100<10 || n%100>=20) ? 1 : 2)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/lt_LT.po b/src/man/po/lt_LT.po
index dc9f71c5..168b6c0d 100644
--- a/src/man/po/lt_LT.po
+++ b/src/man/po/lt_LT.po
@@ -2,15 +2,15 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: Lithuanian (Lithuania) (http://www.transifex.net/projects/p/"
-"fedora/team/lt_LT/)\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: lt_LT\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -54,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -70,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -106,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -215,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -248,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -367,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -379,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -393,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -450,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -496,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -506,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -515,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -528,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -547,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -626,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -765,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -825,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -834,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -852,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -883,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -942,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -958,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -999,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1048,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1068,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1076,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1107,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1126,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1151,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1159,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1167,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1240,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1275,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1305,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1325,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1399,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1418,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1436,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1454,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1495,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1504,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1604,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2087,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2528,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2669,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3059,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3106,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3114,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3122,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3147,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3179,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3204,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3216,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3224,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3484,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4304,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4353,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4461,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4470,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4480,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/mai.po b/src/man/po/mai.po
index cc341451..6f11ee50 100644
--- a/src/man/po/mai.po
+++ b/src/man/po/mai.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Maithili (http://www.transifex.net/projects/p/fedora/team/"
 "mai/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ml.po b/src/man/po/ml.po
index 30ee2cd0..b2afc117 100644
--- a/src/man/po/ml.po
+++ b/src/man/po/ml.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Malayalam <discuss@lists.smc.org.in>\n"
 "Language: ml\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/mr.po b/src/man/po/mr.po
index 0add885f..d849ec69 100644
--- a/src/man/po/mr.po
+++ b/src/man/po/mr.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:41+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Marathi (http://www.transifex.net/projects/p/fedora/team/"
 "mr/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/nb.po b/src/man/po/nb.po
index 26b60ac0..4e8a065f 100644
--- a/src/man/po/nb.po
+++ b/src/man/po/nb.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:38+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/nds.po b/src/man/po/nds.po
index a888ca7c..de462e76 100644
--- a/src/man/po/nds.po
+++ b/src/man/po/nds.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:41+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Low German <nds-lowgerman@lists.sourceforge.net>\n"
 "Language: nds\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/nl.po b/src/man/po/nl.po
index 74ebaa09..dbe0b92b 100644
--- a/src/man/po/nl.po
+++ b/src/man/po/nl.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-03-10 00:18+0000\n"
 "Last-Translator: sgallagh <sgallagh@redhat.com>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -56,7 +56,7 @@ msgstr ""
 "arg>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -74,7 +74,7 @@ msgstr ""
 "die via de opdrachtregel ingegeven zijn."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -119,10 +119,10 @@ msgstr ""
 "replaceable> parameter."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -254,7 +254,7 @@ msgid "The [sssd] section"
 msgstr "De [sssd] sectie"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr "Sectie parameters"
 
@@ -290,12 +290,12 @@ msgid "Supported services: nss, pam"
 msgstr "Ondersteunde diensten: nss, pam"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -304,7 +304,7 @@ msgstr ""
 "Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr "Standaard: 3"
 
@@ -437,6 +437,34 @@ msgstr ""
 "beschikbaar is. Op deze systemen wordt altijd periodiek gekeken naar resolv."
 "conf."
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "krb5_rcache_dir (string)"
+msgstr "re_expression (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -449,12 +477,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr "SERVICES SECTIE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -463,55 +491,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr "Algemene service configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr "Deze opties kunnen gebruikt worden om services te configureren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr "debug_level (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr "Standaard: 0"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr "debug_timestamps (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr "Voeg een tijdstempel toe aan de debugberichten"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr "Standaard: true"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr "command (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -520,17 +548,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr "Standaard: <command>sssd_${service_name}</command>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr "NSS configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -538,12 +566,12 @@ msgstr ""
 "configurere."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -552,17 +580,17 @@ msgstr ""
 "over alle gebruikers)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr "Standaard: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -570,7 +598,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -580,7 +608,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -589,12 +617,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -602,17 +630,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -621,80 +649,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 #, fuzzy
 #| msgid "domains"
 msgid "domain name"
 msgstr "domeinen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -702,140 +730,140 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: /bin/sh"
 msgstr "Standaard: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -843,59 +871,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -903,7 +931,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -912,17 +940,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -930,29 +958,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -961,56 +989,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1020,14 +1048,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1036,39 +1064,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -1077,47 +1110,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1126,19 +1159,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1146,7 +1179,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1154,30 +1187,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1185,17 +1218,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1204,24 +1237,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1229,7 +1262,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1237,7 +1270,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1245,72 +1278,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1318,36 +1351,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "override_gid (integer)"
 msgstr "reconnection_retries (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1355,29 +1388,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1385,19 +1418,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1405,73 +1438,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1479,17 +1512,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1498,17 +1531,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1516,17 +1549,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1534,18 +1567,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1575,7 +1608,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1584,7 +1617,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1684,10 +1717,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2169,7 +2202,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2614,7 +2647,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2757,12 +2790,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3147,7 +3181,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3194,7 +3228,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3202,7 +3237,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3210,24 +3245,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3235,31 +3280,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3267,24 +3312,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3292,7 +3337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3304,7 +3349,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3312,7 +3357,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3572,11 +3617,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4398,48 +4443,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4447,97 +4494,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4555,7 +4602,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4564,7 +4611,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4574,7 +4621,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/nn.po b/src/man/po/nn.po
index 22560776..a3b0652b 100644
--- a/src/man/po/nn.po
+++ b/src/man/po/nn.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:40+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Norwegian Nynorsk (http://www.transifex.net/projects/p/fedora/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/or.po b/src/man/po/or.po
index c9eff89a..993f2114 100644
--- a/src/man/po/or.po
+++ b/src/man/po/or.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:41+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Oriya (http://www.transifex.net/projects/p/fedora/team/or/)\n"
 "Language: or\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/pa.po b/src/man/po/pa.po
index 324b6d27..49b25682 100644
--- a/src/man/po/pa.po
+++ b/src/man/po/pa.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Panjabi (Punjabi) <punjabi-users@lists.sf.net>\n"
 "Language: pa\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/pl.po b/src/man/po/pl.po
index 5e3a1274..3e85319c 100644
--- a/src/man/po/pl.po
+++ b/src/man/po/pl.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-03-10 00:18+0000\n"
 "Last-Translator: sgallagh <sgallagh@redhat.com>\n"
 "Language-Team: Polish <None>\n"
@@ -54,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -70,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -106,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -215,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -248,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -367,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -379,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -393,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -450,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -496,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -506,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -515,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -528,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -547,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -626,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -765,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -825,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -834,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -852,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -883,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -942,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -958,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -999,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1048,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1068,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1076,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1107,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1126,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1151,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1159,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1167,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1240,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1275,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1305,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1325,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1399,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1418,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1436,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1454,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1495,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1504,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1604,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2087,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2528,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2669,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3059,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3106,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3114,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3122,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3147,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3179,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3204,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3216,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3224,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3484,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4304,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4353,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4461,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4470,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4480,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index 39644f2b..66623c3e 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -1,4 +1,4 @@
-[po4a_langs] ar as bal bn_IN ca cs_CZ cs da de_CH de el en_GB es fa_IR fa fi fr gu he hi hu id is it ja_JP ja kn ko lt_LT mai ml mr nb nds nl nn or pa pl pt_BR pt ro ru sk sl sv ta_IN ta te tr uk ur vi_VN zh_CN zh_HK zh_TW
+[po4a_langs] ar as bal bn_IN bn ca cs_CZ cs da de_CH de el en_GB es et fa_IR fa fi fr gu he hi hu id is it ja_JP ja kn ko lt_LT lt mai ml mr nb nds nl nn or pa pl pt_BR pt ro ru sk sl sq sr sv ta_IN ta te tr uk ur vi vi_VN zh_CN zh_HK zh_TW
 [po4a_paths] po/sssd-docs.pot $lang:po/$lang.po
 [type:docbook] sss_groupmod.8.xml $lang:$(builddir)/$lang/sss_groupmod.8.xml
 [type:docbook] sssd.conf.5.xml $lang:$(builddir)/$lang/sssd.conf.5.xml
diff --git a/src/man/po/pt.po b/src/man/po/pt.po
index b517ae5a..75f4137e 100644
--- a/src/man/po/pt.po
+++ b/src/man/po/pt.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:38+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Portuguese <trans-pt@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
index b711344a..39784f81 100644
--- a/src/man/po/pt_BR.po
+++ b/src/man/po/pt_BR.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Portuguese (Brazilian) <trans-pt_br@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ro.po b/src/man/po/ro.po
index 29ba5a8d..d662f45c 100644
--- a/src/man/po/ro.po
+++ b/src/man/po/ro.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Romanian (http://www.transifex.net/projects/p/fedora/team/"
 "ro/)\n"
@@ -54,7 +55,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -70,7 +71,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -106,10 +107,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -215,7 +216,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -248,19 +249,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -367,6 +368,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -379,12 +406,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -393,55 +420,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -450,45 +477,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -496,7 +523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -506,7 +533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -515,12 +542,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -528,17 +555,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -547,78 +574,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -626,138 +653,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -765,59 +792,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -825,7 +852,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -834,17 +861,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -852,29 +879,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -883,56 +910,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -942,14 +969,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -958,39 +985,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -999,47 +1031,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1048,19 +1080,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1068,7 +1100,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1076,30 +1108,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1107,17 +1139,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1126,24 +1158,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1151,7 +1183,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1159,7 +1191,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1167,72 +1199,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1240,34 +1272,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1275,29 +1307,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1305,19 +1337,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1325,73 +1357,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1399,17 +1431,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1418,17 +1450,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1436,17 +1468,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1454,18 +1486,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1495,7 +1527,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1504,7 +1536,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1604,10 +1636,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2087,7 +2119,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2528,7 +2560,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2669,12 +2701,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3059,7 +3092,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3106,7 +3139,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3114,7 +3148,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3122,24 +3156,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3147,31 +3191,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3179,24 +3223,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3204,7 +3248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3216,7 +3260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3224,7 +3268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3484,11 +3528,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4304,48 +4348,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4353,97 +4399,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4461,7 +4507,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4470,7 +4516,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4480,7 +4526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ru.po b/src/man/po/ru.po
index 7d597c2f..269a8ef6 100644
--- a/src/man/po/ru.po
+++ b/src/man/po/ru.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-05-27 19:59+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Russian <trans-ru@lists.fedoraproject.org>\n"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/sk.po b/src/man/po/sk.po
index 65d40e95..add9fb6e 100644
--- a/src/man/po/sk.po
+++ b/src/man/po/sk.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:40+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Slovak (http://www.transifex.net/projects/p/fedora/team/sk/)\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/sl.po b/src/man/po/sl.po
index d1d17b04..b23c6a42 100644
--- a/src/man/po/sl.po
+++ b/src/man/po/sl.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: sl\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/sq.po b/src/man/po/sq.po
new file mode 100644
index 00000000..995fd776
--- /dev/null
+++ b/src/man/po/sq.po
@@ -0,0 +1,4992 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Albanian (http://www.transifex.net/projects/p/fedora/team/"
+"sq/)\n"
+"Language: sq\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/sr.po b/src/man/po/sr.po
new file mode 100644
index 00000000..ad2a2dbd
--- /dev/null
+++ b/src/man/po/sr.po
@@ -0,0 +1,4992 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Serbian <trans-sr@lists.fedoraproject.org>\n"
+"Language: sr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
index 2bcfb95d..f00d2246 100644
--- a/src/man/po/sssd-docs.pot
+++ b/src/man/po/sssd-docs.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: sssd-docs 1.5.13\n"
+"Project-Id-Version: sssd-docs 1.5.14\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -46,7 +46,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
 msgid "DESCRIPTION"
 msgstr ""
 
@@ -58,7 +58,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
 msgstr ""
 
@@ -93,7 +93,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432 pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143 sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103 sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58 sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58 sss_usermod.8.xml:138
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432 pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143 sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103 sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58 sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58 sss_usermod.8.xml:138
 msgid "SEE ALSO"
 msgstr ""
 
@@ -200,7 +200,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -232,19 +232,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -351,6 +351,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at "
+"build-time. (__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -363,12 +389,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -377,54 +403,54 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058 sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058 sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called "
 "<command>sssd_${service_name}</command>.  This directive allows to change "
@@ -433,46 +459,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) "
 "service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -480,7 +506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -490,7 +516,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -499,12 +525,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -512,17 +538,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set "
@@ -531,77 +557,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -609,138 +635,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in "
 "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in "
 "<quote>/etc/shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the "
 "machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -748,59 +774,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during "
 "authentication. The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -808,7 +834,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a "
@@ -818,17 +844,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -836,29 +862,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For "
@@ -867,56 +893,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -926,14 +952,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -942,39 +968,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -983,47 +1014,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified "
 "names. For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1032,19 +1063,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -1052,7 +1083,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -1060,29 +1091,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1090,17 +1121,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
@@ -1109,24 +1140,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -1135,7 +1166,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -1144,7 +1175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -1152,71 +1183,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1224,34 +1255,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called "
@@ -1260,29 +1291,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1290,19 +1321,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1310,73 +1341,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1384,17 +1415,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1403,17 +1434,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1421,17 +1452,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1439,17 +1470,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126 sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126 sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1479,7 +1510,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1488,7 +1519,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> "
@@ -1592,10 +1623,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a "
+"user. Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2075,7 +2106,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64 sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64 sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2514,7 +2545,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2655,12 +2686,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> "
-"section. An optional port number (preceded by a colon) may be appended to "
-"the addresses or hostnames.  If empty, service discovery is enabled - for "
-"more information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of "
+"preference. For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3045,7 +3077,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238 sssd-krb5.5.xml:414
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238 sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3095,6 +3127,7 @@ msgstr ""
 #: pam_sss.8.xml:24
 msgid ""
 "<command>pam_sss.so</command> <arg choice='opt'> "
+"<replaceable>quiet</replaceable> </arg> <arg choice='opt'> "
 "<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> "
 "<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> "
 "<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> "
@@ -3102,7 +3135,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through "
@@ -3110,24 +3143,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3136,31 +3179,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3168,24 +3211,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be "
@@ -3194,7 +3237,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file "
 "<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a "
@@ -3207,7 +3250,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory "
 "<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle><manvolnum>8</manvolnum> "
@@ -3482,11 +3525,12 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> "
+"section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4311,48 +4355,51 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
-msgid "Please note that this feature currently only available on a Linux platform."
+msgid ""
+"Please note that this feature currently only available on a Linux "
+"platform. Passwords stored in this way are kept in plaintext in the kernel "
+"keyring and are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4360,96 +4407,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos "
 "pre-authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4467,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4476,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4486,7 +4533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> "
diff --git a/src/man/po/sv.po b/src/man/po/sv.po
index c8128a90..52238df4 100644
--- a/src/man/po/sv.po
+++ b/src/man/po/sv.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Swedish (http://www.transifex.net/projects/p/fedora/team/"
 "sv/)\n"
@@ -53,7 +54,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +70,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +106,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +215,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +248,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +367,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +419,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +476,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +554,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +573,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +652,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +791,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +860,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +878,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +909,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +984,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1030,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1079,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1107,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1157,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1198,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1271,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1306,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1356,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1430,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1467,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1485,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1635,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2118,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2559,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2700,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3091,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3138,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3155,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3190,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3222,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3527,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4347,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4398,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ta.po b/src/man/po/ta.po
index 71e10ea6..cd84cecb 100644
--- a/src/man/po/ta.po
+++ b/src/man/po/ta.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Tamil <tamil-users@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ta_IN.po b/src/man/po/ta_IN.po
index 41dfb784..357177da 100644
--- a/src/man/po/ta_IN.po
+++ b/src/man/po/ta_IN.po
@@ -2,15 +2,15 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:37+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: Tamil (India) (http://www.transifex.net/projects/p/fedora/"
-"team/ta_IN/)\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: ta_IN\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/te.po b/src/man/po/te.po
index 542c26e7..341c5032 100644
--- a/src/man/po/te.po
+++ b/src/man/po/te.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:38+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Telugu (http://www.transifex.net/projects/p/fedora/team/te/)\n"
 "Language: te\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/tr.po b/src/man/po/tr.po
index 81520a4d..f81782ab 100644
--- a/src/man/po/tr.po
+++ b/src/man/po/tr.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:38+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Turkish (http://www.transifex.net/projects/p/fedora/team/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/uk.po b/src/man/po/uk.po
index 8e5d514e..6db87179 100644
--- a/src/man/po/uk.po
+++ b/src/man/po/uk.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.5.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-01-25 20:56+0200\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <translation@linux.org.ua>\n"
@@ -62,7 +62,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -82,7 +82,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -132,10 +132,10 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -282,7 +282,7 @@ msgstr "Розділ [sssd]"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr "Параметри розділу"
 
@@ -325,13 +325,13 @@ msgstr "Підтримувані служби: nss, pam"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -342,7 +342,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr "Типове значення: 3"
 
@@ -494,6 +494,35 @@ msgstr ""
 "недоступний. На цих платформах завжди використовуватиметься безпосереднє "
 "опитування файла."
 
+# type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+#, fuzzy
+#| msgid "krb5_ccachedir (string)"
+msgid "krb5_rcache_dir (string)"
+msgstr "krb5_ccachedir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -512,13 +541,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr "РОЗДІЛИ СЛУЖБ"
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -532,25 +561,25 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr "Загальні параметри налаштування служб"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr "Цими параметрами можна скористатися для налаштування будь-яких служб."
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr "debug_level (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
@@ -561,38 +590,38 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr "Типове значення: 0"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr "debug_timestamps (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr "Додати часову позначку до діагностичних повідомлень."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr "Типове значення: true"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr "command (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -605,19 +634,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr "Типове значення: <command>sssd_${назва_служби}</command>"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr "Параметри налаштування NSS"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -626,13 +655,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -642,19 +671,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr "Типове значення: 120"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -663,7 +692,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -674,7 +703,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -684,13 +713,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -699,18 +728,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr "Типове значення: 15"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -720,19 +749,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr "Типове значення: root"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -741,7 +770,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 #, fuzzy
 #| msgid "userdel_cmd (string)"
 msgid "override_homedir (string)"
@@ -749,49 +778,49 @@ msgstr "userdel_cmd (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr "%u"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr "ім'я користувача"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr "%U"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr "%d"
 
 # type: Content of: <refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 #, fuzzy
 #| msgid "The domain name"
 msgid "domain name"
 msgstr "Назва домену"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 #, fuzzy
 #| msgid "use_fully_qualified_names (bool)"
 msgid "fully qualified user name (user@domain)"
@@ -799,18 +828,18 @@ msgstr "use_fully_qualified_names (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr "%%"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr "символ відсотків («%»)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -818,57 +847,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 #, fuzzy
 #| msgid "default_shell (string)"
 msgid "allowed_shells (string)"
 msgstr "default_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 #, fuzzy
 #| msgid "Default: not set, i.e. FAST is not used."
 msgid "Default: Not set. The user shell is automatically used."
@@ -876,34 +905,34 @@ msgstr "Типове значення: не встановлено, тобто F
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 #, fuzzy
 #| msgid "default_shell (string)"
 msgid "vetoed_shells (string)"
 msgstr "default_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 #, fuzzy
 #| msgid "userdel_cmd (string)"
 msgid "shell_fallback (string)"
 msgstr "userdel_cmd (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 #, fuzzy
 #| msgid "Default: cn"
 msgid "Default: /bin/sh"
@@ -911,13 +940,13 @@ msgstr "Типове значення: cn"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr "Параметри налаштування PAM"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -927,13 +956,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -941,19 +970,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -961,13 +990,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -975,7 +1004,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -984,19 +1013,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr "Типове значення: 5"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1004,49 +1033,49 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr "У поточній версії sssd передбачено підтримку таких значень:"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: не показувати жодних повідомлень"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: показувати лише важливі повідомлення"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: показувати всі інформаційні повідомлення"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: показувати всі повідомлення та діагностичні дані"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr "Типове значення: 1"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1054,7 +1083,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1064,17 +1093,17 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1083,25 +1112,25 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr "Типове значення: 7"
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr "РОЗДІЛИ ДОМЕНІВ"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1109,7 +1138,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1119,19 +1148,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr "timeout (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
@@ -1139,19 +1168,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr "Типове значення: 10"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr "enumerate (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -1159,25 +1188,25 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = користувачі і групи нумеруються"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = не використовувати нумерацію для цього домену"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr "Типове значення: FALSE"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1187,7 +1216,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -1195,7 +1224,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1205,13 +1234,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -1219,31 +1248,36 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr "Типове значення: 5400"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -1253,55 +1287,55 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr "id_provider (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr "Модуль надання даних щодо профілів користувачів для цього домену."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr "Підтримувані модулі:"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr "proxy: підтримка застарілого модуля надання даних NSS"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr "local: вбудований модуль надання локальних даних SSSD"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr "ldap: модуль надання даних LDAP"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (булеве значення)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1311,13 +1345,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr "auth_provider (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -1327,7 +1361,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1340,7 +1374,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1353,20 +1387,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> — вимкнути розпізнавання повністю."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -1376,13 +1410,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr "access_provider (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1391,19 +1425,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr "<quote>permit</quote> — завжди дозволяти доступ."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> — завжди забороняти доступ."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1413,19 +1447,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr "Типове значення: <quote>permit</quote>"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -1433,7 +1467,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1446,7 +1480,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1459,7 +1493,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1472,20 +1506,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -1493,13 +1527,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -1509,13 +1543,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr "Передбачено підтримку таких значень:"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі "
@@ -1523,14 +1557,14 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі "
@@ -1538,26 +1572,26 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr "Типове значення: ipv4_first"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1566,13 +1600,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -1580,26 +1614,26 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Типова поведінка: використовувати назву домену з назви вузла комп’ютера."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "override_gid (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1608,19 +1642,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -1628,13 +1662,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1642,7 +1676,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -1652,13 +1686,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><title>
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr "Розділ локального домену"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1667,13 +1701,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr "default_shell (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "Типова оболонка для записів користувачів, створених за допомогою "
@@ -1681,19 +1715,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Типове значення: <filename>/bin/bash</filename>"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr "base_directory (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -1701,18 +1735,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr "Типове значення: <filename>/home</filename>"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr "create_homedir (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -1720,18 +1754,18 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr "Типове значення: TRUE"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (булівське значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -1739,13 +1773,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (ціле число)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1757,19 +1791,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr "Типове значення: 077"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr "skel_dir (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1779,19 +1813,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Типове значення: <filename>/etc/skel</filename>"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr "mail_dir (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1800,19 +1834,19 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Типове значення: <filename>/var/mail</filename>"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (рядок)"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1821,20 +1855,20 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr "Типове значення: None, не виконувати жодних команд"
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr "ПРИКЛАД"
 
 # type: Content of: <reference><refentry><refsect1><para><programlisting>
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1888,7 +1922,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1898,7 +1932,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -2019,10 +2053,10 @@ msgstr "ldap_chpass_uri (рядок)"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2590,7 +2624,7 @@ msgstr ""
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr "Типове значення: false"
 
@@ -3104,7 +3138,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr "Типове значення: not set"
 
@@ -3268,16 +3302,16 @@ msgstr "Типове значення: 86400 (24 години)"
 msgid "krb5_server (string)"
 msgstr "krb5_server (рядок)"
 
-# type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3724,7 +3758,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3783,8 +3817,16 @@ msgstr "модуль PAM для SSSD"
 # type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
-msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+#, fuzzy
+#| msgid ""
+#| "<command>pam_sss.so</command> <arg choice='opt'> "
+#| "<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> "
+#| "<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> "
+#| "<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> "
+#| "<replaceable>retry=N</replaceable> </arg>"
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3798,7 +3840,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3807,13 +3849,26 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+#, fuzzy
+#| msgid "<option>retry=N</option>"
+msgid "<option>quiet</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+# type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr "<option>forward_pass</option>"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
@@ -3821,13 +3876,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr "<option>use_first_pass</option>"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3836,13 +3891,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr "<option>use_authtok</option>"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
@@ -3850,13 +3905,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr "<option>retry=N</option>"
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
@@ -3864,7 +3919,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3873,13 +3928,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
@@ -3887,13 +3942,13 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><title>
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr "ФАЙЛИ"
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3902,7 +3957,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3915,7 +3970,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3924,7 +3979,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -4217,15 +4272,14 @@ msgstr ""
 msgid "ipa_server (string)"
 msgstr "ipa_server (рядок)"
 
-# type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -5224,17 +5278,19 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
@@ -5242,37 +5298,37 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr "<emphasis>s</emphasis> — секунди"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr "<emphasis>m</emphasis> — хвилини"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr "<emphasis>h</emphasis> — години"
 
 # type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr "<emphasis>d</emphasis> — дні."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Якщо позначки часу не буде вказано, вважатиметься, що використано позначку "
 "<emphasis>s</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -5280,51 +5336,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr "krb5_renew_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 "Якщо значення для цього параметра встановлено не буде або буде встановлено "
@@ -5332,51 +5388,51 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr "krb5_use_fast (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "Типове значення: не встановлено, тобто FAST не використовується."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 "Будь ласка, зауважте, що для використання fast потрібна таблиця ключів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -5395,7 +5451,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -5405,7 +5461,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para><programlisting>
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -5420,7 +5476,7 @@ msgstr ""
 
 # type: Content of: <reference><refentry><refsect1><para>
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/ur.po b/src/man/po/ur.po
index 79bfe516..dbc22212 100644
--- a/src/man/po/ur.po
+++ b/src/man/po/ur.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:40+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Urdu <trans-urdu@lists.fedoraproject.org>\n"
 "Language: ur\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/vi.po b/src/man/po/vi.po
new file mode 100644
index 00000000..da111b01
--- /dev/null
+++ b/src/man/po/vi.po
@@ -0,0 +1,4992 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: SSSD\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Vietnamese (http://www.transifex.net/projects/p/fedora/team/"
+"vi/)\n"
+"Language: vi\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
+#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
+#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
+#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
+#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
+#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+msgid "8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
+#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
+#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
+#: sss_usermod.8.xml:138
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:74
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
+msgid "5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
+#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"                <replaceable>[section]</replaceable>\n"
+"                <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"                <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:46
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:52
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:58
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:61
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:72
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:75
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:81
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:84
+msgid ""
+"Comma separated list of services that are started when sssd itself starts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:88
+msgid "Supported services: nss, pam"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:106
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:109
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start.  This parameter described the list of domains in the order you want "
+"them to be queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:119
+msgid "re_expression (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:122
+msgid ""
+"Regular expression that describes how to parse the string containing user "
+"name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:126
+msgid ""
+"Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:131
+msgid ""
+"PLEASE NOTE: the support for non-unique named subpatterns is not available "
+"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
+"version 7 or higher can support non-unique named subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:138
+msgid ""
+"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
+"P&lt;name&gt;) to label subpatterns."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:145
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:148
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to translate "
+"a (name, domain) tuple into a fully qualified name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:156
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:161
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:164
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:172
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:178
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:182
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:63
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.  The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:215
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:217
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:224
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:226
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:230
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:233
+msgid ""
+"Sets the debug level for the service. The value can be in range from 0 (only "
+"critical messages) to 10 (very verbose)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:243 sssd.8.xml:58
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:246 sssd.8.xml:61
+msgid "Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
+#: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:267
+msgid "command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:270
+msgid ""
+"By default, the executable representing this service is called <command>sssd_"
+"${service_name}</command>.  This directive allows to change the executable "
+"name for the service. In the vast majority of configurations, the default "
+"values should suffice."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:278
+msgid "Default: <command>sssd_${service_name}</command>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:286
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:288
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:293
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:296
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:300
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:305
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:308
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:314
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:324
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:337
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:340
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones)  "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:351
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:354
+msgid ""
+"Exclude certain users from being fetched from the sss NSS database. This is "
+"particularly useful for system accounts. This option can also be set per-"
+"domain or include fully-qualified names to filter only users from the "
+"particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:361
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:366
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:369
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:378
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
+msgid "%u"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
+msgid "%U"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:392
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:396
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:399
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:400
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
+msgid "%%"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:381
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:410
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:415
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:421
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:425
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:430
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:438
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:442
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:447
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:450
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:455
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:462
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:469
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:471
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:476
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:479
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:493
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:503
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:506
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:511
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:523
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:531
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:537
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:541
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:544
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:548
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:553
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:556
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:562
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:576
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:579
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:582
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password.  If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588
+msgid "Default: 7"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:597
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:604
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:607
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:612
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:619
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:625
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:628
+msgid ""
+"Timeout in seconds between heartbeats for this domain.  This is used to "
+"ensure that the backend process is alive and capable of answering requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:633
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:639
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:642
+msgid ""
+"Determines if a domain can be enumerated. This parameter can have one of the "
+"following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:646
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:649
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:655
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations.  During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:665
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:670
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully.  For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:681
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:684
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:688
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:709
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:712
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever.  The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:719
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:725
+msgid "id_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:728
+msgid "The Data Provider identity backend to use for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:732
+msgid "Supported backends:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:735
+msgid "proxy: Support a legacy NSS provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:738
+msgid "local: SSSD internal local provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:741
+msgid "ldap: LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:747
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:750
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:763
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:766
+msgid ""
+"The authentication provider used for the domain.  Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:770
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:777
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:787
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:796
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:799
+msgid ""
+"The access control provider used for the domain.  There are two built-in "
+"access providers (in addition to any included in installed backends)  "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:805
+msgid "<quote>permit</quote> always allow access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:808
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:811
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:818
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:823
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:826
+msgid ""
+"The provider which should handle change password operations for the domain.  "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:831
+msgid ""
+"<quote>ipa</quote> to change a password stored in an IPA server.  See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:839
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server.  See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:847
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:855
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:859
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:862
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:869
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:872
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:876
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:882
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:885
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:897
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the DNS "
+"resolver before assuming that it is unreachable. If this timeout is reached, "
+"the domain will continue to operate in offline mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:912
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:919
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:925
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:928
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:599
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:940
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:943
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:946
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:954
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:957
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:936
+msgid ""
+"Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:969
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:971
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:978
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:981
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:985
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:990
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:993
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:998
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1003
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1006
+msgid ""
+"Indicate if a home directory should be created by default for new users.  "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1015
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1018
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users.  Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1027
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1043
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1056
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1061
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1064
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted.  If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1071
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1076
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1079
+msgid ""
+"The command that is run after a user is removed.  The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1085
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
+msgid "EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:1101
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1097
+msgid ""
+"The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details.  <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1132
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel.  If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
+#: sssd-krb5.5.xml:63
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy.  If "
+"not specified, service discovery is enabled. For more information, refer to "
+"the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Default: If not set the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exists or has an empty value namingContexts is "
+"used.  The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:126
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server.  Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary.  The way that some attributes are handled may also differ.  Three "
+"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
+"difference between these schema types is how group memberships are recorded "
+"in the server.  With rfc2307, group members are listed by name in the "
+"<emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, group "
+"members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:148
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:154
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:157
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:164
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:167
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:171
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:174
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:180
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:186
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:189
+msgid ""
+"The authentication token of the default bind DN.  Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:196
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:199
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:202
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:208
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:211
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:215
+msgid "Default: uid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:221
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:224
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:228
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:234
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:237
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:247
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:250
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:260
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:263
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:267
+msgid "Default: homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:273
+msgid "ldap_user_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:276
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "Default: loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:286
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:289
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
+msgid "Default: nsUniqueId"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:299
+msgid "ldap_user_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
+msgid "Default: modifyTimestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:312
+msgid "ldap_user_shadow_last_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:315
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: shadowLastChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_shadow_min (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:343
+msgid "Default: shadowMin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:349
+msgid "ldap_user_shadow_max (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:352
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:361
+msgid "Default: shadowMax"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:367
+msgid "ldap_user_shadow_warning (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:370
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:380
+msgid "Default: shadowWarning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_shadow_inactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:399
+msgid "Default: shadowInactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:405
+msgid "ldap_user_shadow_expire (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:408
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:418
+msgid "Default: shadowExpire"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:424
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:427
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:433
+msgid "Default: krbLastPwdChange"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:439
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:442
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: krbPasswordExpiration"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:462
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:468
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:471
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:482
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:485
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:490
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:496
+msgid "ldap_user_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:499
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:503
+msgid "Default: krbPrincipalName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:509
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:512
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:525
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:528
+msgid ""
+"The LDAP attribute that contains how many seconds SSSD has to wait before "
+"refreshing its cache of enumerated records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:533
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:539
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:542
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:548
+msgid "Setting this option to zero will disable the cache cleanup operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:552
+msgid "Default: 10800 (12 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:558
+msgid "ldap_user_fullname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:561
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
+msgid "Default: cn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:571
+msgid "ldap_user_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:574
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:578
+msgid "Default: memberOf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:584
+msgid "ldap_user_authorized_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:587
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:594
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid "Default: authorizedService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:605
+msgid "ldap_group_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:608
+msgid "The object class of a group entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:611
+msgid "Default: posixGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:617
+msgid "ldap_group_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:620
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:630
+msgid "ldap_group_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:633
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:643
+msgid "ldap_group_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:646
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:650
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:656
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:659
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:669
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:682
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:685
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692
+msgid "Default: 2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:704
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:710
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:713
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:723
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:726
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:730
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:736
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:739
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:743
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:749
+msgid "ldap_netgroup_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:752
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:762
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:775
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:778
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:784
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:796
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:799
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:806
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:812
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:838
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:841
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:853
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:856
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:861
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:867
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:870
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:876
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:880
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:887
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:893
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:903
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:909
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:912
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:924
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:927
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'.  If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:942
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:945
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:955
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:958
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:967
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:970
+msgid ""
+"Specifies acceptable cipher suites.  Typically this is a colon sperated "
+"list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:983
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:986
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:996
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:999
+msgid ""
+"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1145
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1009
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1012
+msgid ""
+"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1017
+msgid "Default: host/machine.fqdn@REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1023
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1026
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1031
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1037
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1040
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1043
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1049
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1052
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1064
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1067
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1071
+msgid "Default: 86400 (24 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1077 sssd-krb5.5.xml:74
+msgid "krb5_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1092 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1106 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1109
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1112
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1118
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1121
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1126
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1131
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired.  Note that the current version of sssd "
+"cannot update this attribute during a password change."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1139
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1151
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1154
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1158
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1169
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1172
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1176
+msgid "Default: ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1182
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1185
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1190
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1196
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1199
+msgid ""
+"If using access_provider = ldap, this option is mandatory. It specifies an "
+"LDAP search filter criteria that must be met for the user to be granted "
+"access on this host. If access_provider = ldap and this option is not set, "
+"it will result in all users being denied access. Use access_provider = allow "
+"to change this default behavior."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1209
+msgid "Example:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:1212
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1216
+msgid ""
+"This example means that access to this host is restricted to members of the "
+"\"allowedusers\" group in ldap."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1221
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice-versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1270
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1235
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1238
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1242
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1249
+msgid "The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1252
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1257
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1264
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1276
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1279
+msgid "Comma separated list of access control options.  Allowed values are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1286
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1290
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1295
+msgid "Default: filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1298
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1305
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1308
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1313
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1317
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1322
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1327
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1332
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1344
+msgid "ADVANCED OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1351
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1354
+msgid ""
+"An optional base DN to restrict netgroup searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372 sssd-ldap.5.xml:1386
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1365
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1368
+msgid "An optional base DN to restrict user searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1379
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1382
+msgid "An optional base DN to restrict group searches to a specific subtree."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1346
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1402
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:1408
+#, no-wrap
+msgid ""
+"    [domain/LDAP]\n"
+"    id_provider = ldap\n"
+"    auth_provider = ldap\n"
+"    ldap_uri = ldap://ldap.mydomain.org\n"
+"    ldap_search_base = dc=mydomain,dc=org\n"
+"    ldap_tls_reqcert = demand\n"
+"    cache_credentials = true\n"
+"    enumerate = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
+#: sssd-krb5.5.xml:417
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:1421 sssd_krb5_locator_plugin.8.xml:61
+msgid "NOTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1423
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:1434
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: pam_sss.8.xml:8 include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
+"fedorahosted.org/sssd</orgname>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:13 pam_sss.8.xml:18
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:19
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:24
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:45
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through <command>syslog"
+"(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
+msgid "<option>forward_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:66
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:73
+msgid "<option>use_first_pass</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:76
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:84
+msgid "<option>use_authtok</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:87
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:94
+msgid "<option>retry=N</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:97
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:99
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:110
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:111
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:117
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:118
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:123
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permisssions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:133
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:141
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use.  Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplyfy the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.  "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variable and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:77
+msgid ""
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:128
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:135
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    access_provider = simple\n"
+"    simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:145
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server.  (Refer to "
+"the freeipa.org web site for information about IPA servers.)  This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider accepts the same options used by the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
+"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
+"provider.  However, it is neither necessary nor recommended to set these "
+"options.  IPA provider can also be used as an access and chpass provider. As "
+"an access provider it uses HBAC (host-based access control) rules. Please "
+"refer to freeipa.org for more information about HBAC. No configuration of "
+"access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:69
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:72
+msgid ""
+"Specifies the name of the IPA domain.  This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:80
+msgid "ipa_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:83
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:96
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:99
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:107
+msgid "ipa_dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:110
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA v2 with the IP address of this client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:121
+msgid "ipa_dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:124
+msgid ""
+"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
+"interface whose IP address should be used for dynamic DNS updates."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:129
+msgid "Default: Use the IP address of the IPA LDAP connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:135
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:138
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:142
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:158
+msgid ""
+"Note that this default differs from the traditional Kerberos provider back "
+"end."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:168
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:172
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:179
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:189
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:194
+msgid "ipa_hbac_treat_deny_as (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197
+msgid ""
+"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
+"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
+"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
+"client will support two modes of operation during this transition period:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206
+msgid ""
+"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
+"users will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:211
+msgid ""
+"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
+"careful with this option, as it may result in opening unintended access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:216
+msgid "Default: DENY_ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:232
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:239
+#, no-wrap
+msgid ""
+"    [domain/example.com]\n"
+"    id_provider = ipa\n"
+"    ipa_server = ipaserver.example.com\n"
+"    ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:250
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:51
+msgid ""
+"Debug level to run the daemon with. 0 is the default as well as the lowest "
+"allowed value, 10 is the most verbose mode. This setting overrides the "
+"settings from config file. This parameter implies <option>-i</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:70
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:74
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:82
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:86
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:92
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:96
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:102
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:106
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:122
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:125
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:128
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:134
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:137
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:145
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:148
+msgid ""
+"Tells the SSSD to simulate offline operation for one minute. This is mostly "
+"useful for testing purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:154
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:157
+msgid ""
+"Tells the SSSD to go online immediately. This is mostly useful for testing "
+"purposes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:168
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively.  The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:105
+msgid ""
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account.  The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory.  The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>.  The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:157
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:169
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature use 'access_provider = krb5' in your sssd "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC alternative servers "
+"can be defined here. An optional port number (preceded by a colon) may be "
+"appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section.  Please note that even if there are no more "
+"kpasswd servers to try the back end is not switch to offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. If the "
+"directory does not exist it will be created. If %u, %U, %p or %h are used a "
+"private directory belonging to the user is created. Otherwise a public "
+"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
+"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> for details) is created."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:151
+msgid "Default: /tmp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:157
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:171
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:174
+msgid "%p"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:175
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:179
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:180
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:183
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:184
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:189
+msgid "value of krb5ccache_dir"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:194
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:195
+msgid "the process ID of the sssd client"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:160
+msgid ""
+"Location of the user's credential cache. Currently only file based "
+"credential caches are supported. In the template the following sequences are "
+"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
+"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
+"way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:209
+msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:215
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:218
+msgid ""
+"Timeout in seconds after an online authentication or change password request "
+"is aborted. If possible the authentication request is continued offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:241
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:244
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:248
+msgid "Default: /etc/krb5.keytab"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider gets online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:262
+msgid ""
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:275
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:278
+msgid ""
+"Request a renewable ticket with a total lifetime given by an integer "
+"immediately followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+msgid "<emphasis>s</emphasis> seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+msgid "<emphasis>m</emphasis> minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+msgid "<emphasis>h</emphasis> hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+msgid "<emphasis>d</emphasis> days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
+msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:299
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"renewable lifetime to one and a half hours please use '90m' instead of "
+"'1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:305
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:311
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314
+msgid ""
+"Request ticket with a with a lifetime given by an integer immediately "
+"followed by one of the following delimiters:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid ""
+"Please note that it is not possible to mix units.  If you want to set the "
+"lifetime to one and a half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:340
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:347
+msgid "krb5_renew_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:350
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:355
+msgid "If this option is not set or 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:365
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:368
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:373
+msgid ""
+"<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:377
+msgid ""
+"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
+"continue without."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:381
+msgid ""
+"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
+"fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:385
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:388
+msgid "Please note that a keytab is required to use fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:391
+msgid ""
+"Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
+"and above. If sssd used used with an older version using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in a SSSD domain, the following options must "
+"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
+"SECTIONS</quote> for details on the configuration of a SSSD domain.  "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:410
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication, it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:418
+#, no-wrap
+msgid ""
+"    [domain/FOO]\n"
+"    auth_provider = krb5\n"
+"    krb5_server = 192.168.1.1\n"
+"    krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:429
+msgid ""
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:95
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy.  Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:60
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:140
+msgid ""
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9
+msgid "Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the primary server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:17
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:19
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service.  The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:32
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:37
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7
+msgid "Display help message and exit."
+msgstr ""
diff --git a/src/man/po/vi_VN.po b/src/man/po/vi_VN.po
index 596d3068..ccb633a7 100644
--- a/src/man/po/vi_VN.po
+++ b/src/man/po/vi_VN.po
@@ -2,15 +2,15 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:37+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: Vietnamese (Viet Nam) (http://www.transifex.net/projects/p/"
-"fedora/team/vi_VN/)\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: vi_VN\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
index 11d4e0fa..5be9f35b 100644
--- a/src/man/po/zh_CN.po
+++ b/src/man/po/zh_CN.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-05-27 20:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Chinese (China) (http://www.transifex.net/projects/p/fedora/"
@@ -53,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -69,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -105,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -214,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -247,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -366,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -378,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -392,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -449,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -495,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -505,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -514,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -527,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -546,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -625,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -764,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -824,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -833,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -851,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -882,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -941,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -957,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -998,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1047,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1067,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1075,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1106,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1125,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1150,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1158,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1166,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1239,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1274,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1304,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1324,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1398,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1417,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1435,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1453,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1494,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1503,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1603,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2086,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2527,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2668,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3058,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3105,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3113,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3121,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3146,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3178,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3203,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3215,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3223,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3483,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4303,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4352,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4460,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4469,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4479,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/zh_HK.po b/src/man/po/zh_HK.po
index 668f8d9f..15e58b83 100644
--- a/src/man/po/zh_HK.po
+++ b/src/man/po/zh_HK.po
@@ -2,12 +2,13 @@
 # Copyright (C) YEAR Red Hat
 # This file is distributed under the same license as the sssd-docs package.
 #
+# Translators:
 msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
-"PO-Revision-Date: 2011-08-05 11:39+0000\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
+"PO-Revision-Date: 2010-12-23 15:35+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Chinese (Hong Kong) <chinese@lists.fedoraproject.org>\n"
 "Language: zh_HK\n"
@@ -52,7 +53,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +69,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +105,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +214,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +247,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +366,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +418,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +475,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +540,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +553,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +572,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +651,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +790,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +859,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +877,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +908,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +983,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1029,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1078,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1098,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1106,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1156,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1197,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1270,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1335,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1355,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1429,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1448,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1466,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1484,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1634,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2117,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2558,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2699,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3090,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3137,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3154,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3189,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3221,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3526,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4346,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4397,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
diff --git a/src/man/po/zh_TW.po b/src/man/po/zh_TW.po
index a810764d..4104b32f 100644
--- a/src/man/po/zh_TW.po
+++ b/src/man/po/zh_TW.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SSSD\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2011-08-29 10:42-0300\n"
+"POT-Creation-Date: 2011-10-18 13:34-0300\n"
 "PO-Revision-Date: 2011-08-05 11:39+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Chinese (Taiwan) <trans-zh_TW@lists.fedoraproject.org>\n"
@@ -52,7 +52,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
 #: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
@@ -68,7 +68,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
 msgid "OPTIONS"
@@ -104,10 +104,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1106 sssd-ldap.5.xml:1432
-#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
+#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1130 sssd-ldap.5.xml:1432
+#: pam_sss.8.xml:139 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
 #: sssd-ipa.5.xml:248 sssd.8.xml:166 sss_obfuscate.8.xml:103
-#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
+#: sss_useradd.8.xml:167 sssd-krb5.5.xml:427 sss_groupadd.8.xml:58
 #: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
 #: sss_usermod.8.xml:138
 msgid "SEE ALSO"
@@ -213,7 +213,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:70 sssd.conf.5.xml:952
+#: sssd.conf.5.xml:70 sssd.conf.5.xml:976
 msgid "Section parameters"
 msgstr ""
 
@@ -246,19 +246,19 @@ msgid "Supported services: nss, pam"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
+#: sssd.conf.5.xml:93 sssd.conf.5.xml:254
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
+#: sssd.conf.5.xml:96 sssd.conf.5.xml:257
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
+#: sssd.conf.5.xml:101 sssd.conf.5.xml:262
 msgid "Default: 3"
 msgstr ""
 
@@ -365,6 +365,32 @@ msgid ""
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:189
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:192
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:202
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:63
 msgid ""
@@ -377,12 +403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:195
+#: sssd.conf.5.xml:215
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:197
+#: sssd.conf.5.xml:217
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -391,55 +417,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:204
+#: sssd.conf.5.xml:224
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:206
+#: sssd.conf.5.xml:226
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:210
+#: sssd.conf.5.xml:230
 msgid "debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:213
+#: sssd.conf.5.xml:233
 msgid ""
 "Sets the debug level for the service. The value can be in range from 0 (only "
 "critical messages) to 10 (very verbose)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
+#: sssd.conf.5.xml:238 sssd.conf.5.xml:332
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:223 sssd.8.xml:58
+#: sssd.conf.5.xml:243 sssd.8.xml:58
 msgid "debug_timestamps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:226 sssd.8.xml:61
+#: sssd.conf.5.xml:246 sssd.8.xml:61
 msgid "Add a timestamp to the debug messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1058
+#: sssd.conf.5.xml:249 sssd.conf.5.xml:373 sssd-ldap.5.xml:1058
 #: sssd-ldap.5.xml:1163 sssd-ipa.5.xml:155
 msgid "Default: true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:247
+#: sssd.conf.5.xml:267
 msgid "command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:250
+#: sssd.conf.5.xml:270
 msgid ""
 "By default, the executable representing this service is called <command>sssd_"
 "${service_name}</command>.  This directive allows to change the executable "
@@ -448,45 +474,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:258
+#: sssd.conf.5.xml:278
 msgid "Default: <command>sssd_${service_name}</command>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:266
+#: sssd.conf.5.xml:286
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:268
+#: sssd.conf.5.xml:288
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:273
+#: sssd.conf.5.xml:293
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:276
+#: sssd.conf.5.xml:296
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:280
+#: sssd.conf.5.xml:300
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:285
+#: sssd.conf.5.xml:305
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:288
+#: sssd.conf.5.xml:308
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -494,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:294
+#: sssd.conf.5.xml:314
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -504,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304
+#: sssd.conf.5.xml:324
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -513,12 +539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:317
+#: sssd.conf.5.xml:337
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:320
+#: sssd.conf.5.xml:340
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -526,17 +552,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
+#: sssd.conf.5.xml:346 sssd-krb5.5.xml:223
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:331
+#: sssd.conf.5.xml:351
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:334
+#: sssd.conf.5.xml:354
 msgid ""
 "Exclude certain users from being fetched from the sss NSS database. This is "
 "particularly useful for system accounts. This option can also be set per-"
@@ -545,78 +571,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:341
+#: sssd.conf.5.xml:361
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:346
+#: sssd.conf.5.xml:366
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:369
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:358
+#: sssd.conf.5.xml:378
 msgid "override_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:367 sssd-krb5.5.xml:166
+#: sssd.conf.5.xml:387 sssd-krb5.5.xml:166
 msgid "%u"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:368 sssd-krb5.5.xml:167
+#: sssd.conf.5.xml:388 sssd-krb5.5.xml:167
 msgid "login name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:371 sssd-krb5.5.xml:170
+#: sssd.conf.5.xml:391 sssd-krb5.5.xml:170
 msgid "%U"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:392
 msgid "UID number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:375 sssd-krb5.5.xml:188
+#: sssd.conf.5.xml:395 sssd-krb5.5.xml:188
 msgid "%d"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:376
+#: sssd.conf.5.xml:396
 msgid "domain name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:379
+#: sssd.conf.5.xml:399
 msgid "%f"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:380
+#: sssd.conf.5.xml:400
 msgid "fully qualified user name (user@domain)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:383 sssd-krb5.5.xml:200
+#: sssd.conf.5.xml:403 sssd-krb5.5.xml:200
 msgid "%%"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:384 sssd-krb5.5.xml:201
+#: sssd.conf.5.xml:404 sssd-krb5.5.xml:201
 msgid "a literal '%'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:361
+#: sssd.conf.5.xml:381
 msgid ""
 "Override the user's home directory. You can either provide an absolute value "
 "or a template. In the template, the following sequences are substituted: "
@@ -624,138 +650,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:390
+#: sssd.conf.5.xml:410
 msgid "This option can also be set per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:395
+#: sssd.conf.5.xml:415
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:398
+#: sssd.conf.5.xml:418
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:401
+#: sssd.conf.5.xml:421
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:405
+#: sssd.conf.5.xml:425
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:410
+#: sssd.conf.5.xml:430
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:415
+#: sssd.conf.5.xml:435
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:418
+#: sssd.conf.5.xml:438
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:422
+#: sssd.conf.5.xml:442
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:427
+#: sssd.conf.5.xml:447
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:430
+#: sssd.conf.5.xml:450
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:435
+#: sssd.conf.5.xml:455
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:438
+#: sssd.conf.5.xml:458
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:442
+#: sssd.conf.5.xml:462
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:469
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:451
+#: sssd.conf.5.xml:471
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:456
+#: sssd.conf.5.xml:476
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:459
+#: sssd.conf.5.xml:479
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:464 sssd.conf.5.xml:477
+#: sssd.conf.5.xml:484 sssd.conf.5.xml:497
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:490
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:473
+#: sssd.conf.5.xml:493
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:483
+#: sssd.conf.5.xml:503
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:506
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:491
+#: sssd.conf.5.xml:511
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -763,59 +789,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:497 sssd.conf.5.xml:550 sssd.conf.5.xml:882
+#: sssd.conf.5.xml:517 sssd.conf.5.xml:570 sssd.conf.5.xml:906
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:523
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:506
+#: sssd.conf.5.xml:526
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:511
+#: sssd.conf.5.xml:531
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:514
+#: sssd.conf.5.xml:534
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:517
+#: sssd.conf.5.xml:537
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:541
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:524
+#: sssd.conf.5.xml:544
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:528
+#: sssd.conf.5.xml:548
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:533
+#: sssd.conf.5.xml:553
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:536
+#: sssd.conf.5.xml:556
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -823,7 +849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:542
+#: sssd.conf.5.xml:562
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -832,17 +858,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:556
+#: sssd.conf.5.xml:576
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:559
+#: sssd.conf.5.xml:579
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:562
+#: sssd.conf.5.xml:582
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -850,29 +876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:588
 msgid "Default: 7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:577
+#: sssd.conf.5.xml:597
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:584
+#: sssd.conf.5.xml:604
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:587
+#: sssd.conf.5.xml:607
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:592
+#: sssd.conf.5.xml:612
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -881,56 +907,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:599
+#: sssd.conf.5.xml:619
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:625
 msgid "timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:608
+#: sssd.conf.5.xml:628
 msgid ""
 "Timeout in seconds between heartbeats for this domain.  This is used to "
 "ensure that the backend process is alive and capable of answering requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:633
 msgid "Default: 10"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:639
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:642
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:626
+#: sssd.conf.5.xml:646
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:629
+#: sssd.conf.5.xml:649
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:632 sssd.conf.5.xml:680 sssd.conf.5.xml:734
+#: sssd.conf.5.xml:652 sssd.conf.5.xml:704 sssd.conf.5.xml:758
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:635
+#: sssd.conf.5.xml:655
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -940,14 +966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:645
+#: sssd.conf.5.xml:665
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:650
+#: sssd.conf.5.xml:670
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -956,39 +982,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:661
+#: sssd.conf.5.xml:681
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:664
+#: sssd.conf.5.xml:684
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:688
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:693
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676
+#: sssd.conf.5.xml:696
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:700
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:685
+#: sssd.conf.5.xml:709
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:688
+#: sssd.conf.5.xml:712
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -997,47 +1028,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:695
+#: sssd.conf.5.xml:719
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:725
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:728
 msgid "The Data Provider identity backend to use for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:708
+#: sssd.conf.5.xml:732
 msgid "Supported backends:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:711
+#: sssd.conf.5.xml:735
 msgid "proxy: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:714
+#: sssd.conf.5.xml:738
 msgid "local: SSSD internal local provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:717
+#: sssd.conf.5.xml:741
 msgid "ldap: LDAP provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:747
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:750
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -1046,19 +1077,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:739
+#: sssd.conf.5.xml:763
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:766
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:746
+#: sssd.conf.5.xml:770
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1066,7 +1097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:777
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1074,30 +1105,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:784
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:787
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:766
+#: sssd.conf.5.xml:790
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:796
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:775
+#: sssd.conf.5.xml:799
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -1105,17 +1136,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:781
+#: sssd.conf.5.xml:805
 msgid "<quote>permit</quote> always allow access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:784
+#: sssd.conf.5.xml:808
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:811
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -1124,24 +1155,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:818
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:823
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:826
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:831
 msgid ""
 "<quote>ipa</quote> to change a password stored in an IPA server.  See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -1149,7 +1180,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:815
+#: sssd.conf.5.xml:839
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -1157,7 +1188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:823
+#: sssd.conf.5.xml:847
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -1165,72 +1196,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:831
+#: sssd.conf.5.xml:855
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:835
+#: sssd.conf.5.xml:859
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838
+#: sssd.conf.5.xml:862
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:845
+#: sssd.conf.5.xml:869
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:848
+#: sssd.conf.5.xml:872
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:876
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:855
+#: sssd.conf.5.xml:879
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:858
+#: sssd.conf.5.xml:882
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:861
+#: sssd.conf.5.xml:885
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:864
+#: sssd.conf.5.xml:888
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:867
+#: sssd.conf.5.xml:891
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:873
+#: sssd.conf.5.xml:897
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:876
+#: sssd.conf.5.xml:900
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -1238,34 +1269,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:912
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:891
+#: sssd.conf.5.xml:915
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:919
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:901
+#: sssd.conf.5.xml:925
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:904
+#: sssd.conf.5.xml:928
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:579
+#: sssd.conf.5.xml:599
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -1273,29 +1304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:940
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:943
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:922
+#: sssd.conf.5.xml:946
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:954
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:933
+#: sssd.conf.5.xml:957
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -1303,19 +1334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:912
+#: sssd.conf.5.xml:936
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:945
+#: sssd.conf.5.xml:969
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:971
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -1323,73 +1354,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:954
+#: sssd.conf.5.xml:978
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:981
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:985
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:966
+#: sssd.conf.5.xml:990
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:969
+#: sssd.conf.5.xml:993
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974
+#: sssd.conf.5.xml:998
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1003
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1006
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986 sssd.conf.5.xml:998
+#: sssd.conf.5.xml:1010 sssd.conf.5.xml:1022
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:991
+#: sssd.conf.5.xml:1015
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:994
+#: sssd.conf.5.xml:1018
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1003
+#: sssd.conf.5.xml:1027
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1030
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -1397,17 +1428,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014
+#: sssd.conf.5.xml:1038
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1043
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1022
+#: sssd.conf.5.xml:1046
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -1416,17 +1447,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:1056
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1037
+#: sssd.conf.5.xml:1061
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1040
+#: sssd.conf.5.xml:1064
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -1434,17 +1465,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1047
+#: sssd.conf.5.xml:1071
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1076
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1055
+#: sssd.conf.5.xml:1079
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -1452,18 +1483,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1061
+#: sssd.conf.5.xml:1085
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1071 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
-#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:405
+#: sssd.conf.5.xml:1095 sssd-ldap.5.xml:1400 sssd-simple.5.xml:126
+#: sssd-ipa.5.xml:230 sssd-krb5.5.xml:408
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:1077
+#: sssd.conf.5.xml:1101
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -1493,7 +1524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1073
+#: sssd.conf.5.xml:1097
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -1502,7 +1533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1108
+#: sssd.conf.5.xml:1132
 msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
@@ -1602,10 +1633,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:88
 msgid ""
-"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
-"in the order of preference to change the password of a user. Refer to the "
-"<quote>FAILOVER</quote> section for more information on failover and server "
-"redundancy."
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -2085,7 +2116,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
-#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
+#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:269
 msgid "Default: false"
 msgstr ""
 
@@ -2526,7 +2557,7 @@ msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
+#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:359
 msgid "Default: not set"
 msgstr ""
 
@@ -2667,12 +2698,13 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:1080 sssd-krb5.5.xml:77
 msgid ""
-"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
-"which SSSD should connect in the order of preference. For more information "
-"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
-"An optional port number (preceded by a colon) may be appended to the "
-"addresses or hostnames.  If empty, service discovery is enabled - for more "
-"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames.  If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -3057,7 +3089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ldap.5.xml:1407 sssd-simple.5.xml:134 sssd-ipa.5.xml:238
-#: sssd-krb5.5.xml:414
+#: sssd-krb5.5.xml:417
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -3104,7 +3136,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 #: pam_sss.8.xml:24
 msgid ""
-"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
 "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
@@ -3112,7 +3145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:42
+#: pam_sss.8.xml:45
 msgid ""
 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 "Services daemon (SSSD). Errors and results are logged through <command>syslog"
@@ -3120,24 +3153,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:52
+#: pam_sss.8.xml:55
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:58
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:63
 msgid "<option>forward_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:55
+#: pam_sss.8.xml:66
 msgid ""
 "If <option>forward_pass</option> is set the entered password is put on the "
 "stack for other PAM modules to use."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:62
+#: pam_sss.8.xml:73
 msgid "<option>use_first_pass</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:65
+#: pam_sss.8.xml:76
 msgid ""
 "The argument use_first_pass forces the module to use a previous stacked "
 "modules password and will never prompt the user - if no password is "
@@ -3145,31 +3188,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:73
+#: pam_sss.8.xml:84
 msgid "<option>use_authtok</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:76
+#: pam_sss.8.xml:87
 msgid ""
 "When password changing enforce the module to set the new password to the one "
 "provided by a previously stacked password module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: pam_sss.8.xml:83
+#: pam_sss.8.xml:94
 msgid "<option>retry=N</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:86
+#: pam_sss.8.xml:97
 msgid ""
 "If specified the user is asked another N times for a password if "
 "authentication fails. Default is 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: pam_sss.8.xml:88
+#: pam_sss.8.xml:99
 msgid ""
 "Please note that this option might not work as expected if the application "
 "calling PAM handles the user dialog on its own. A typical example is "
@@ -3177,24 +3220,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:99
+#: pam_sss.8.xml:110
 msgid "MODULE TYPES PROVIDED"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:100
+#: pam_sss.8.xml:111
 msgid ""
 "All module types (<option>account</option>, <option>auth</option>, "
 "<option>password</option> and <option>session</option>) are provided."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: pam_sss.8.xml:106
+#: pam_sss.8.xml:117
 msgid "FILES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:107
+#: pam_sss.8.xml:118
 msgid ""
 "If a password reset by root fails, because the corresponding SSSD provider "
 "does not support password resets, an individual message can be displayed. "
@@ -3202,7 +3245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:112
+#: pam_sss.8.xml:123
 msgid ""
 "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
 "filename> where LOC stands for a locale string returned by <citerefentry> "
@@ -3214,7 +3257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:122
+#: pam_sss.8.xml:133
 msgid ""
 "These files are searched in the directory <filename>/etc/sssd/customize/"
 "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
@@ -3222,7 +3265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: pam_sss.8.xml:130
+#: pam_sss.8.xml:141
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
 "manvolnum> </citerefentry>"
@@ -3482,11 +3525,11 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ipa.5.xml:83
 msgid ""
-"The list of IP addresses or hostnames of the IPA servers to which SSSD "
-"should connect in the order of preference. For more information on failover "
-"and server redundancy, see the <quote>FAILOVER</quote> section.  This is "
-"optional if autodiscovery is enabled.  For more information on service "
-"discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
@@ -4302,48 +4345,50 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:262
 msgid ""
-"Please note that this feature currently only available on a Linux platform."
+"Please note that this feature currently only available on a Linux platform. "
+"Passwords stored in this way are kept in plaintext in the kernel keyring and "
+"are potentially accessible by the root user (with difficulty)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:272
+#: sssd-krb5.5.xml:275
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:275
+#: sssd-krb5.5.xml:278
 msgid ""
 "Request a renewable ticket with a total lifetime given by an integer "
 "immediately followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
+#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
 msgid "<emphasis>s</emphasis> seconds"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
+#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
 msgid "<emphasis>m</emphasis> minutes"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
+#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
 msgid "<emphasis>h</emphasis> hours"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
+#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
 msgid "<emphasis>d</emphasis> days."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
+#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:331
 msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:296
+#: sssd-krb5.5.xml:299
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "renewable lifetime to one and a half hours please use '90m' instead of "
@@ -4351,97 +4396,97 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:302
+#: sssd-krb5.5.xml:305
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:308
+#: sssd-krb5.5.xml:311
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:311
+#: sssd-krb5.5.xml:314
 msgid ""
 "Request ticket with a with a lifetime given by an integer immediately "
 "followed by one of the following delimiters:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:332
+#: sssd-krb5.5.xml:335
 msgid ""
 "Please note that it is not possible to mix units.  If you want to set the "
 "lifetime to one and a half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:337
+#: sssd-krb5.5.xml:340
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:344
+#: sssd-krb5.5.xml:347
 msgid "krb5_renew_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:347
+#: sssd-krb5.5.xml:350
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:352
+#: sssd-krb5.5.xml:355
 msgid "If this option is not set or 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-krb5.5.xml:362
+#: sssd-krb5.5.xml:365
 msgid "krb5_use_fast (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:365
+#: sssd-krb5.5.xml:368
 msgid ""
 "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
 "authentication. The following options are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:370
+#: sssd-krb5.5.xml:373
 msgid ""
 "<emphasis>never</emphasis> use FAST, this is equivalent to not set this "
 "option at all."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:374
+#: sssd-krb5.5.xml:377
 msgid ""
 "<emphasis>try</emphasis> to use FAST, if the server does not support fast "
 "continue without."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:378
+#: sssd-krb5.5.xml:381
 msgid ""
 "<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
 "fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:382
+#: sssd-krb5.5.xml:385
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:385
+#: sssd-krb5.5.xml:388
 msgid "Please note that a keytab is required to use fast."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-krb5.5.xml:388
+#: sssd-krb5.5.xml:391
 msgid ""
 "Please note also that sssd supports fast only with MIT Kerberos version 1.8 "
 "and above. If sssd used used with an older version using this option is a "
@@ -4459,7 +4504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:407
+#: sssd-krb5.5.xml:410
 msgid ""
 "The following example assumes that SSSD is correctly configured and FOO is "
 "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
@@ -4468,7 +4513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-krb5.5.xml:415
+#: sssd-krb5.5.xml:418
 #, no-wrap
 msgid ""
 "    [domain/FOO]\n"
@@ -4478,7 +4523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-krb5.5.xml:426
+#: sssd-krb5.5.xml:429
 msgid ""
 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
 "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"